CN116249972A - Memory protection method and protection agent control device - Google Patents


Info

Publication number
CN116249972A
Authority
CN
China
Prior art keywords
protection
physical page
page table
authority information
accelerator
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202080104550.1A
Other languages
Chinese (zh)
Inventor
刘君龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd


Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
            • G06F12/02 Addressing or allocation; Relocation
              • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
                • G06F12/10 Address translation
                  • G06F12/1027 Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
                    • G06F12/1045 Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB] associated with a data cache
                      • G06F12/1054 Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB] associated with a data cache the data cache being concurrently physically addressed
            • G06F12/14 Protection against unauthorised use of memory or access to memory
              • G06F12/1416 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
                • G06F12/1425 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
                  • G06F12/1441 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
              • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
                • G06F12/1466 Key-lock mechanism
                  • G06F12/1475 Key-lock mechanism in a virtual system, e.g. with translation means
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a memory protection method and a protection agent control device. When an accelerator or IO device requests access to system memory by direct physical address, the protection agent control device can, according to the identifier of the device's data stream, obtain the authority information of the physical page table in which the requested physical address is located, perform an authority check on the memory access request according to that information, and allow the accelerator or IO device to access the physical address directly only when the check passes, so that the security of the system memory is ensured.

Description

Memory protection method and protection agent control device
Technical Field
The present disclosure relates to the field of computer processing technologies, and in particular, to a memory protection method and a protection agent control device.
Background
In recent years, the use of hardware accelerators (accelerators) has become more and more widespread. By utilizing certain interface techniques, the accelerator can be integrated more closely with the central processing unit (CPU). For example, in a heterogeneous system architecture (HSA), shared virtual memory (SVM) technology allows the virtual address space and the cache to be shared between the accelerator and the CPU, which gives a consistent software programming model.
However, while these interface technologies bring performance improvements and reduced power consumption, they also present serious security and isolation risks. In particular, when the accelerator or input/output (IO) device is designed or produced by a third-party manufacturer, allowing it to access system memory at a direct physical address exposes the system memory to a number of risks. For example, if it accesses a physical address space for which it has no read permission, the confidentiality of system memory may be compromised; if it accesses a physical address space for which it has no write permission, the correctness of system memory may be compromised.
For this reason, the prior art provides the TrustZone mechanism under the ARM architecture, which divides the software and hardware system resources into two parts, a secure world and a normal world, so as to prevent untrusted accelerators/IO devices from accessing system memory belonging to the operating system (OS). Under this mechanism, a process in the normal world can access only the system resources of the normal world, while a process in the secure world can access the system resources of both the normal world and the secure world. Because the system resources are divided only into the secure world and the normal world, the protection granularity for system memory is coarse, and the mechanism cannot provide effective protection for processes belonging to the normal world.
Disclosure of Invention
The application provides a memory protection method and a protection agent control device, which are used for checking memory access authority when an accelerator or IO device directly uses a physical address to access a system memory, so that the safety of the system memory is effectively ensured.
In a first aspect, the present application provides a memory protection method, which may be executed by a protection agent control device, the method including: receiving a memory access request from an accelerator or an input/output (IO) device, wherein the memory access request comprises an identifier of a data stream of the accelerator or the IO device and a first physical address for requesting access; according to the identification of the data stream of the accelerator or the IO equipment, reading authority information corresponding to a first physical page table where a first physical address is located, wherein the authority information corresponding to the first physical page table is used for indicating whether the data stream has read authority and/or write authority in the first physical page table; and performing authority check on the memory access request according to the authority information corresponding to the first physical page table, and allowing the memory access request to access the first physical address if the authority check is passed.
By adopting the technical scheme, when the accelerator or the IO device requests the direct physical address to access the system memory, the protection agent control device can acquire the authority information of the first physical page table where the data stream accesses the first physical address according to the identification of the data stream of the accelerator or the IO device, and perform authority check on the memory access request according to the authority information, and the direct physical address access of the accelerator or the IO device is allowed when the authority check passes, so that the security of the system memory is ensured.
In one possible design of the first aspect, the reading, according to the identifier of the data stream of the accelerator or the IO device, permission information corresponding to a first physical page table where a first physical address is located may include: determining a physical page table protection table corresponding to the data stream and a protection table cache according to the identification of the data stream of the accelerator or the IO device, wherein the physical page table protection table stores authority information corresponding to at least one physical page table, and the protection table cache is a cache of the physical page table protection table; judging whether authority information corresponding to the first physical page table exists in the protection table cache according to the identification of the first physical page table, and if so, reading the authority information corresponding to the first physical page table from the protection table cache; if the authority information does not exist, the authority information corresponding to the first physical page table is read from the physical page table protection table, and the authority information corresponding to the first physical page table is loaded into the protection table cache.
By adopting this technical scheme, a corresponding protection table cache is provided for the physical page table protection table of each data stream and is used to cache the authority information of physical page tables held in that protection table. When the protection agent control device needs the authority information of a data stream for a certain physical page table, it first searches the corresponding protection table cache and, only if the information is not found there, searches the physical page table protection table, so that the lookup efficiency of authority information is effectively improved.
In one possible design of the first aspect, one entry of the protection table cache stores authority information corresponding to one or more physical page tables, and the entry in which the authority information of each physical page table is located in the protection table cache is indexed by the hash value of the identifier of that physical page table. Thus, while lookup efficiency is preserved, the storage space of the protection table cache can be fully utilized and resource utilization improved.
In one possible design of the first aspect, the reading, according to the identifier of the data stream of the accelerator or the IO device, permission information corresponding to a first physical page table where a first physical address is located may include: determining a physical page table protection table corresponding to the data stream according to the identification of the data stream of the accelerator or the IO device, wherein the physical page table protection table stores authority information corresponding to at least one physical page table; and reading authority information corresponding to the first physical page table from the physical page table protection table according to the identification of the first physical page table.
In one possible design of the first aspect, before the reading, according to the identifier of the data stream of the accelerator or the IO device, of permission information corresponding to the first physical page table where the first physical address is located, the method further includes: reading, in a protection flow table, the protection flow table entry corresponding to the flow identifier of the data flow of the accelerator or the IO device, wherein the protection flow table entry comprises first control information and second control information, the first control information indicating whether the global authority information of the physical page table protection table corresponding to the data flow is unreadable and unwritable, and the second control information indicating the boundary range of the physical page table protection table; and if, according to the first control information, the global authority information of the physical page table protection table is not unreadable and unwritable, and, according to the second control information, the first physical address lies within the boundary range of the physical page table protection table, reading the authority information corresponding to the first physical page table in which the first physical address is located.
By adopting the technical scheme, the protection flow table entry corresponding to the data flow is established in the protection flow table, and various control configuration information can be set for the data flow, so that the access control function is realized.
In one possible design of the first aspect, the protection flow table entry further includes third control information, where the third control information is used to indicate a protection granularity of the physical page table protection table; before the authority information corresponding to the first physical page table where the first physical address is located is read, the method further includes: and determining a first physical page table where the first physical address is located according to the boundary range and the protection granularity of the physical page table protection table.
In one possible design of the first aspect, the protection flow table entry further includes fourth control information, where the fourth control information is used to indicate whether a function of checking memory access rights is opened for the data flow; after the protection flow table entry corresponding to the flow identifier of the data flow of the accelerator or the IO device in the protection flow table is obtained, the method further includes: and according to the fourth control information, determining that the function for checking the memory access authority for the data stream is started.
In one possible design of the first aspect, the method further comprises: receiving, from a translation proxy unit, an identifier of the data stream of the accelerator or IO device, a first physical address, and the authority information with which the accelerator or IO device may access the first physical address; and if authority information corresponding to the first physical page table in which the first physical address is located exists in the protection table cache corresponding to the data stream, but is inconsistent with the authority information received from the translation proxy unit, updating the authority information corresponding to the first physical page table in both the protection table cache and the physical page table protection table corresponding to the data stream according to the authority information received from the translation proxy unit.
In one possible design of the first aspect, the method further comprises: if no authority information corresponding to the first physical page table in which the first physical address is located exists in the protection table cache corresponding to the data stream, taking the authority information received from the translation proxy unit for accessing the first physical address as the authority information corresponding to that first physical page table, and writing it into the physical page table protection table and/or the protection table cache corresponding to the data stream.
By adopting this technical scheme, before the accelerator or IO device initiates direct physical address access using a physical address obtained from the translation proxy unit, the protection agent control device can refresh the authority information of the corresponding physical page table in the protection table cache and in the physical page table protection table according to that physical address and its corresponding authority information, so that subsequent authority checks on memory access requests of the accelerator or IO device use accurate authority information, ensuring the security of the system memory.
In one possible design of the first aspect, the method further comprises: receiving page table invalidation information from a page table management module, the page table invalidation information comprising an identifier of the data stream of the accelerator or IO device and identifiers of one or more physical page tables that are invalidated; and setting the authority information corresponding to the invalidated one or more physical page tables in the protection table cache and the physical page table protection table corresponding to the data flow to unreadable and unwritable.
In one possible design of the first aspect, the method further comprises: receiving page table invalidation information from a page table management module, wherein the page table invalidation information comprises identification of a data stream of the accelerator or the IO device and indication information for performing global invalidation on a physical page table related to the data stream; and setting the global authority information of the physical page table protection table corresponding to the data flow stored in the protection flow table entry corresponding to the identification of the data flow in the protection flow table as unreadable and unwritable.
By adopting this technical scheme, the protection agent control device can perform the corresponding processing when a physical page table related to the data flow of the accelerator or IO device is invalidated, so that the authority information of the invalidated physical page table is promptly set to unreadable and unwritable, thereby preventing subsequent access to the invalidated physical page table and ensuring the security of the system memory.
In a second aspect, the present application provides a protection agent control device in which a protection flow table and a physical page table protection table corresponding to each of at least one data flow are provided, and through which the protection agent control device implements access control on accesses to system memory by a third-party accelerator or IO device.
The protection flow table comprises protection flow table entries corresponding to the at least one data flow, and control configuration information of the data flow is stored in the protection flow table entry corresponding to each data flow; the physical page table protection table corresponding to each data stream stores at least one authority information corresponding to a physical page table, and the authority information corresponding to each physical page table is used for indicating whether the data stream has a read authority and/or a write authority in the physical page table.
In one possible design of the second aspect, the protection agent control device further includes a protection table cache for each physical page table protection table, where the protection table cache is used to cache authority information corresponding to physical page tables in that physical page table protection table.
In one possible design of the second aspect, the control configuration information includes one or more of the following: first control information, second control information, third control information, fourth control information and fifth control information, where the first control information indicates whether the global authority information of the physical page table protection table corresponding to the data flow is unreadable and unwritable, the second control information indicates the boundary range of the physical page table protection table corresponding to the data flow, the third control information indicates the protection granularity of the physical page table protection table corresponding to the data flow, the fourth control information indicates whether the function of checking memory access authority is enabled for the data flow, and the fifth control information indicates whether the accelerator or IO device to which the data flow belongs is restricted to initiating virtual address accesses only.
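The check flow of the first aspect (flow table lookup, the virtual-only, enable, global-deny and boundary checks, the cache-then-table authority read indexed by a hash of the page identifier, the refresh from the translation proxy unit, and per-page and global invalidation) together with the two tables of the second aspect, as an added worked example in Python. This is a software model written for this page, not the patent's or Huawei's code, and the class names, the field layout, the 4 KiB granularity, the 16-entry cache, the multiplicative hash, and the pass-through behaviour when checking is disabled for a stream are all assumptions.

```python
from dataclasses import dataclass, field
from enum import IntFlag
from typing import Dict, Iterable, Optional

class Perm(IntFlag):
    NONE = 0      # unreadable and unwritable; also the state of an invalidated page
    READ = 1
    WRITE = 2

@dataclass
class FlowEntry:
    """One protection flow table entry: the control information for one stream id (layout assumed)."""
    base: int                      # second control info: start of the table's boundary range
    size: int                      # ... and the length of that range in bytes
    page_shift: int = 12           # third control info: protection granularity (4 KiB pages assumed)
    global_deny: bool = False      # first control info: whole table marked unreadable and unwritable
    check_enabled: bool = True     # fourth control info: permission checking switched on for this stream
    virtual_only: bool = False     # fifth control info: stream may only issue virtual-address accesses
    cache_sets: int = 16           # assumed number of entries in the protection table cache
    table: Dict[int, Perm] = field(default_factory=dict)             # page id -> Perm
    cache: Dict[int, Dict[int, Perm]] = field(default_factory=dict)  # entry index -> {page id: Perm}

class PAC:
    """Software model of the protection agent control device (interface assumed)."""
    def __init__(self) -> None:
        self.flows: Dict[int, FlowEntry] = {}   # the protection flow table, keyed by stream id
        self.stats = {"hit": 0, "miss": 0}

    @staticmethod
    def _page_id(flow: FlowEntry, pa: int) -> int:
        return (pa - flow.base) >> flow.page_shift

    @staticmethod
    def _entry_index(flow: FlowEntry, page_id: int) -> int:
        # Entries are indexed by a hash of the page id, so several pages can share one entry (hash assumed).
        return ((page_id * 0x9E3779B1) >> 16) % flow.cache_sets

    def _perm(self, flow: FlowEntry, page_id: int) -> Perm:
        # Read permission info from the protection table cache, falling back to the protection table.
        bucket = flow.cache.setdefault(self._entry_index(flow, page_id), {})
        if page_id in bucket:
            self.stats["hit"] += 1
            return bucket[page_id]
        self.stats["miss"] += 1
        perm = flow.table.get(page_id, Perm.NONE)   # no record: treat as unreadable and unwritable
        bucket[page_id] = perm                      # load it into the cache
        return perm

    def check(self, stream_id: int, pa: int, write: bool) -> bool:
        # Permission check for a direct-physical-address request from the given data stream.
        flow = self.flows.get(stream_id)
        if flow is None or flow.virtual_only:
            return False     # unknown stream, or a stream restricted to virtual-address access
        if not flow.check_enabled:
            return True      # checking is off for this stream (pass-through is an assumption)
        if flow.global_deny or not (flow.base <= pa < flow.base + flow.size):
            return False     # globally invalidated table, or address outside its boundary range
        perm = self._perm(flow, self._page_id(flow, pa))
        return bool(perm & (Perm.WRITE if write else Perm.READ))

    def ats_update(self, stream_id: int, pa: int, perm: Perm) -> None:
        """Refresh cache and table with the permission the translation proxy unit reported for pa."""
        flow = self.flows[stream_id]
        page_id = self._page_id(flow, pa)
        bucket = flow.cache.setdefault(self._entry_index(flow, page_id), {})
        if bucket.get(page_id) != perm:   # absent from the cache, or inconsistent with the proxy
            bucket[page_id] = perm
            flow.table[page_id] = perm

    def invalidate(self, stream_id: int, page_ids: Optional[Iterable[int]] = None) -> None:
        """Invalidation from the page table manager: the listed pages, or the whole table when None."""
        flow = self.flows[stream_id]
        if page_ids is None:
            flow.global_deny = True
            return
        for pid in page_ids:
            flow.table[pid] = Perm.NONE
            bucket = flow.cache.get(self._entry_index(flow, pid))
            if bucket is not None and pid in bucket:
                bucket[pid] = Perm.NONE

def run_demo() -> dict:
    """Constructed scenario: stream 7 owns a 16-page table with page 0 read-only and page 1 read-write."""
    pac = PAC()
    base = 0x1000_0000
    pac.flows[7] = FlowEntry(base=base, size=16 * 4096, table={0: Perm.READ, 1: Perm.READ | Perm.WRITE})
    r = {}
    r["read_page0"] = pac.check(7, base + 0x10, write=False)              # allowed
    r["write_page0"] = pac.check(7, base + 0x10, write=True)              # denied: read-only page
    r["write_page1"] = pac.check(7, base + 0x1000, write=True)            # allowed
    r["read_page2"] = pac.check(7, base + 0x2000, write=False)            # denied: no permission recorded
    r["out_of_range"] = pac.check(7, base + 16 * 4096, write=False)       # denied: beyond boundary range
    pac.ats_update(7, base + 0x2000, Perm.READ)                           # proxy reports read permission
    r["read_page2_after_ats"] = pac.check(7, base + 0x2000, write=False)  # now allowed
    pac.invalidate(7, [1])                                                # page 1 invalidated
    r["write_page1_after_inval"] = pac.check(7, base + 0x1000, write=True)  # denied again
    pac.invalidate(7)                                                     # global invalidation
    r["read_page0_after_global"] = pac.check(7, base + 0x10, write=False)  # denied
    r["cache_hits"] = pac.stats["hit"]
    return r
```

Pages with no record, and pages that have been invalidated, resolve to `Perm.NONE`, so a cached entry can never grant more than the table does once `invalidate()` has run on it; `ats_update()` writes only when the cached value is absent or disagrees with what the translation proxy reported, which are exactly the two cases the designs above distinguish.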
In a third aspect, embodiments of the present application provide a protection agent control device, which has a function of implementing the first aspect or any one of the possible designs of the first aspect. The functions of the device may be implemented by hardware, or may be implemented by executing corresponding software by hardware, where the hardware or software includes one or more modules or units corresponding to the functions described above.
In one possible design, the apparatus includes a processing module and a transceiver module, where the processing module is configured to support the apparatus in performing the corresponding functions of the first aspect or any of the designs of the first aspect. The transceiver module is used to support communication between the apparatus and other communication equipment (such as an accelerator or an IO device). The apparatus may also include a memory module coupled to the processing module that holds the program instructions and data necessary for the apparatus. As an example, the processing module may be a processor, the transceiver module may be a transceiver, and the memory module may be a memory, where the memory may be integrated with the processor or provided separately from the processor; the application is not limited in this respect.
In another possible design, the device may include a processor and may also include a memory. The processor is coupled to the memory and operable to execute computer program instructions stored in the memory to cause the apparatus to perform the method of the first aspect, or any one of the possible designs of the first aspect. Optionally, the apparatus further comprises a communication interface, the processor being coupled to the communication interface. The communication interface may be a transceiver or an input/output interface or, when the device is embodied as a chip, the communication interface may be an input/output interface of the chip. Alternatively, the transceiver may be a transceiver circuit and the input/output interface may be an input/output circuit.
In a fourth aspect, embodiments of the present application provide a chip system comprising a processor coupled to a memory for storing a program or instructions which, when executed by the processor, cause the chip system to implement the method of any one of the possible designs of the first aspect or the first aspect.
Optionally, the system on a chip further comprises an interface circuit for conveying code instructions to the processor.
Alternatively, the processor in the chip system may be one or more, and the processor may be implemented by hardware or software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general purpose processor, implemented by reading software code stored in a memory.
Alternatively, there may be one or more memories in the system-on-chip. The memory may be integrated with the processor or separate from the processor, and this is not limited in this application. For example, the memory may be a non-transitory memory, such as a ROM, which may be integrated on the same chip as the processor or provided separately on a different chip; the type of memory and the manner in which the memory and the processor are provided are not specifically limited in this application.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program or instructions which, when executed, cause a computer to perform the method of the first aspect or any of the possible designs of the first aspect.
In a sixth aspect, embodiments of the present application provide a computer program product which, when read and executed by a computer, causes the computer to perform the method of the first aspect or any of the possible designs of the first aspect.
In a seventh aspect, embodiments of the present application provide a computer system that includes a protection agent control device as described herein, and a CPU, at least one accelerator of a third party, or an IO device coupled to the protection agent control device.
Drawings
FIG. 1a to FIG. 1d are schematic diagrams of system architectures applicable to embodiments of the present application;
FIG. 2 is a schematic structural diagram of a protection agent control device according to an embodiment of the present application;
FIG. 3a is a schematic diagram of a protection flow table according to an embodiment of the present application;
FIG. 3b is a schematic diagram of a secondary protection flow table according to an embodiment of the present application;
FIG. 3c is a schematic diagram of a process-level protection flow table according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a physical page table protection flow according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a protection table cache according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a memory protection method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a PAC device directly controlled by system software according to embodiments of the present application;
FIG. 8a to FIG. 8d are schematic diagrams illustrating the general flow of the memory protection method according to embodiments of the present application;
FIG. 9 is another schematic structural diagram of a protection agent control device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
It should be noted that the specific operation method in the method embodiment of the present application may also be applied to the device embodiment or the system embodiment. The term "plurality" means two or more, and in view of this, the term "plurality" may also be understood as "at least two" in the embodiments of the present application. "At least one" may be understood as one or more, for example one, two or more. For example, "including at least one" means including one, two or more, without limiting what is included. For example, if at least one of A, B and C is included, then A, B, C, A and B, A and C, B and C, or A and B and C may be included. The understanding of similar descriptions such as "at least one of" is the same. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone. Unless otherwise specified, the character "/" generally indicates that the associated objects are in an "or" relationship.
Unless stated to the contrary, the embodiments of the present application refer to ordinal terms such as "first," "second," etc., for distinguishing between multiple objects, and are not intended to limit the order, timing, priority, or importance of the multiple objects, nor are the descriptions of "first," "second," etc., to limit the objects to be different.
The memory protection method provided by the embodiments of the present application can be executed by a protection agent control (PAC) device, and is used to check the access authority of direct-physical-address requests from a third-party accelerator or IO device to the system memory.
Specifically, the PAC device may be integrated into an existing input-output memory management unit (IOMMU) / system memory management unit (SMMU) as a standard address access protection module, or may be integrated as a stand-alone proxy module between an accelerator and the system memory or between an IO device and the system memory. With the PAC device in place, every access request from an accelerator/IO device to the system memory via a direct physical address is checked by the PAC module for the corresponding access rights, so that the security of the system memory is ensured.
For example, the technical solution provided in the present application may be applied to a system on chip (SoC) integrated with a third-party accelerator. As shown in fig. 1a, the SoC includes a system memory, a CPU, an accelerator (accel) from an untrusted third party, and the PAC device, where the PAC device is integrated between the system memory and the third-party accelerator and protects the system memory. The SoC also comprises a memory management unit (MMU), a translation lookaside buffer (TLB), an address translation service (ATS) and other modules that respectively serve the CPU and the third-party accelerator.
The technical solution provided by the application may also be applied to a computing network system extended over a PCI Express bus. As shown in fig. 1b, the CPU is connected to external IO devices via a PCI Express bus to form a computing network system. The PAC device is integrated in the host; the IO device on the PCI Express bus implements the ATS function of the PCI Express protocol and a local address translation cache (ATC). Through the ATS mechanism, the IO device can obtain from the host in advance the physical addresses it needs for direct memory access and cache them in its local ATC. When the IO device later needs direct memory access, it issues the physical address directly to the host memory; the IOMMU/SMMU no longer walks the page table for that access, so the PAC permission check is the only control that keeps the access to the system memory safe.
The technical solution provided by the application may also be applied to a computing network system that is not extended over a PCI Express bus. As shown in fig. 1c, the CPU is connected to external IO devices via a non-PCI Express bus to form a computing network system. The host integrates the PAC device, and the bus supports an ATS-like mechanism, so that the IO device can obtain the physical addresses of the system memory space in advance when it needs direct memory access and cache them in its local ATC. Again, when the IO device needs direct memory access, it issues the physical address directly to the host memory; the IOMMU/SMMU no longer walks the page table, and the PAC permission check is the only control that keeps the access to the system memory safe.
The technical solution provided by the application may also be applied to a hybrid high-performance computing architecture. In this system, as shown in fig. 1d, the CPU is connected to a plurality of external IO devices through a PCI Express bus and to an external accelerator through a non-PCI Express bus; all of these IO devices/accelerators support ATS or an ATS-like mechanism, so that the physical addresses of the system memory space they need for direct memory access can be obtained in advance. The PAC device of the present application is implemented between these IO devices/external accelerators and the system memory. In addition, the CPU integrates a third-party accelerator (for example a third-party accelerator IP), and the PAC device of the application is also implemented between that accelerator and the system memory. By placing the PAC device between the IO devices/accelerators and the system memory, the system memory is protected against accesses by the IO devices and accelerators.
Referring to fig. 2, a schematic structural diagram of a protection agent control (PAC) device according to an embodiment of the present application is shown. The PAC device includes a protection flow table (protection stream table, PST) and at least one physical page table protection table (physical page protection table, PPPT), each corresponding to a data flow. Optionally, to improve table lookup performance, the PAC device may also include a protection table cache (PTC) for each physical page table protection table.
The protection flow table, the physical page table protection table and the protection table cache implemented in the PAC device are described in detail below.
1. Protection flow table
The protection flow table includes at least one protection flow table entry (protection stream table entry, PSTE), each corresponding to a data flow, and the protection flow table entry of each data flow stores the control configuration information of that data flow.
The control configuration information of a data flow may include one or more of first, second, third, fourth and fifth control information. The first control information indicates whether the global authority information of the physical page table protection table corresponding to the data flow is neither readable nor writable; the second control information indicates the boundary range of the physical page table protection table corresponding to the data flow; the third control information indicates the protection granularity of the physical page table protection table corresponding to the data flow; the fourth control information indicates whether memory access authority checking is enabled for the data flow; and the fifth control information indicates whether the accelerator or IO device to which the data flow belongs is restricted to initiating virtual address accesses only.
It should be noted that, in the embodiments of the present application, the protection flow table may expose a software programming interface through which system software sets the control configuration information of each data flow separately. Because the control configuration information of different data flows is set separately and independently, the information contained in the control configuration information of different data flows may be the same or different; this is not limited in the present application.
In this embodiment, the protection flow table is indexed by the identifier of the data flow. For a given data flow, the protection flow table entry corresponding to that data flow is located from its identifier, and the control configuration information of the data flow is then read from that entry. As described above, the second control information indicates the boundary range of the physical page table protection table corresponding to the data flow, which can also be understood as the range of physical addresses covered by all the physical page tables described in that protection table. For example, the second control information may include the base address and the size of the physical page table protection table.
The identifier of a data flow distinguishes the data flows of different accelerators or IO devices, and can be mapped one-to-one to the device identifier of the accelerator or IO device. The identifier of the data flow may also be called a stream identification number (stream ID), and the device identifier a device identification number (device ID). For example, the identifier of the data flow may be the Stream ID used by the SMMU under the ARM architecture, and the device identifier may be the Requester ID used on the PCI Express bus; mapping Requester IDs one-to-one to Stream IDs is how PCI Express devices are accommodated under the ARM SMMU architecture.
Please refer to fig. 3a, which is a schematic diagram of a protection flow table according to an embodiment of the present application. The protection flow table includes a plurality of protection flow table entries PSTE0, PSTE1, PSTE2, PSTE3, and so on. The protection flow table is indexed by the identifier (stream ID) of the data flow, i.e. each data flow corresponds to one protection flow table entry, and the entries are indexed by the identifiers of the different data flows. For example, data flow 0 may correspond to PSTE0 in fig. 3a, which is indexed by the identifier of data flow 0; data flow 1 to PSTE1, indexed by the identifier of data flow 1; data flow 2 to PSTE2, indexed by the identifier of data flow 2; and data flow 3 to PSTE3, indexed by the identifier of data flow 3.
Taking the protection flow table entry PSTE0 as an example, the protection flow table entry may include the following fields of control configuration information:
1) An EN field for indicating whether a Protection Agent Control (PAC) mechanism is enabled, i.e., whether the data stream is checked for permission to directly access the system memory using the physical address. The EN is the fourth control information above, and indicates whether to open the function of checking the memory access rights for the data stream.
For example, the EN field may be represented by one bit. When the EN field has a value of 1, it may indicate that PAC mechanism is enabled, and that checking of memory access rights is required for all memory access requests from the data stream. When the EN field has a value of 0, it may indicate that the PAC mechanism is not enabled, and no check of memory access rights is performed on the memory access request from the data stream.
2) A Zero field, indicating whether the physical page table protection table corresponding to the data flow is being initialized; if so, the authority information of all physical page tables in that protection table is treated as neither readable nor writable. The Zero field is the first control information above, indicating whether the global authority information of the physical page table protection table corresponding to the data flow is neither readable nor writable.
3) An OU field, indicating whether the accelerator or IO device to which the data flow belongs is restricted to initiating virtual address accesses only and may not initiate physical address accesses. The OU field is the fifth control information above.
For example, the OU field may be one bit. When the bit is 1, the accelerator or IO device to which the data flow belongs may only initiate virtual address accesses and may not initiate physical address accesses; when the bit is 0, it may initiate physical address accesses. If the PAC device receives a memory access request in which an accelerator or IO device asks to access a block of the system memory directly by physical address, the PAC device looks up the protection flow table entry of that accelerator's or IO device's data flow by the data flow identifier. If the OU field in that entry is 1, the PAC device determines that the accelerator or IO device is restricted to virtual address accesses and rejects the memory access request.
4) A PGS field, indicating the checking granularity used when memory access authority checking is performed for the data flow. In this embodiment, the PAC device checks memory access authority in units of physical page tables, so the checking granularity is the size of each physical page table, i.e. the protection granularity of the physical page table protection table. The PGS field is the third control information above.
5) PAC base address_h and PAC base address_l fields, indicating the base address of the physical page table protection table corresponding to the data flow. The PAC base address_h field holds the upper N bits of the base address and the PAC base address_l field the lower N bits. N may be 32, for example, in which case the two fields hold the upper 32 bits and the lower 32 bits of the base address respectively.
6) A PAT boundary field, indicating the size of the physical page table protection table corresponding to the data flow.
The PAC base address_h/PAC base address_l fields and the PAT boundary field together form the second control information above. From them the boundary range of the physical page table protection table corresponding to the data flow, i.e. the interval of physical addresses covered by the physical page tables in that protection table, is uniquely determined, which makes it possible to look up the physical page table protection table by physical address or by physical page table identifier and so determine the memory access authority of the data flow.
The fields above are examples of the control configuration information in a protection flow table entry; the entry may contain other control configuration information, which is not limited in this application. Further, since the protection flow table exposes a software programming interface, the system software can extend the protection flow table entry with further control configuration information through that interface, enhancing the security and extensibility of access control.
In one possible implementation, the protection flow table in the embodiments of the present application may also be a secondary (two-level) protection flow table, i.e. a protection flow table with a two-level index. Fig. 3b is a schematic diagram of a two-level protection flow table according to an embodiment of the present application. Specifically, the protection flow table is divided into two levels: each entry (Desc) in the upper-level table stores the description information of one sub protection flow table, the description information of different entries points to different sub-tables at the lower level, and each entry (PSTE) in a lower-level table stores the control configuration information of the corresponding data flow.
Both levels are indexed by the identifier of the data flow. In the upper-level table, different entries are indexed according to the identifier of the data flow. Note that the identifier of one data flow corresponds to exactly one entry in the upper-level table, but one entry in the upper-level table may correspond to the identifiers of one or more data flows, i.e. to an interval of data flow identifiers. In other words, in the upper-level protection flow table the relationship between data flow identifiers and entries is one-to-one or many-to-one: the identifier of a data flow indexes a unique upper-level entry, but the identifiers of different data flows may index the same upper-level entry.
In the lower-level protection flow table, different entries are likewise indexed according to the identifier of the data flow, and here the identifiers of the data flows correspond one-to-one to the entries. The identifier of a data flow indexes a unique entry in the lower-level table, and that entry stores the control configuration information of the data flow.
Organizing the protection flow table as a two-level table improves lookup efficiency when the number of data flows is large: the protection flow table entry of a data flow can be found more efficiently, and its control configuration information obtained.
In yet another possible implementation, the protection flow table in the embodiments of the present application may also be a process-level protection flow table. Specifically, the protection flow table described so far may be understood as a device-level protection flow table: different protection flow table entries correspond to the data flows of different accelerators/IO devices, so that control configuration information can be set separately for the data flow of each accelerator/IO device, the data flows of different accelerators/IO devices can correspond to different physical page table protection tables, and access control can be performed separately for each of them.
A process-level protection flow table further distinguishes, within the data flow of one accelerator/IO device, the sub data flows of different processes; correspondingly, a process-level sub protection flow table is created for that data flow under the device-level protection flow table. The sub protection flow table includes at least one sub protection flow table entry, each corresponding to a sub data flow, and the sub data flows of different processes correspond to different sub protection flow table entries. Control configuration information can therefore be set separately for the sub data flows of different processes, and the sub data flows of different processes can correspond to different physical page table protection tables, so that access control is performed separately for the sub data flows of different processes within one data flow, effectively improving the granularity of access control.
Fig. 3c is a schematic diagram of a process-level protection flow table according to an embodiment of the present application. As shown in fig. 3c, the device-level protection flow table includes at least one protection flow table entry, each corresponding to a data flow. The data flow of one accelerator or IO device corresponds to one protection flow table entry, the entries are indexed by the identifier of the data flow, and the identifier of the data flow maps one-to-one to the device identifier of the accelerator or IO device.
The data flows in the protection flow table may include data flows whose sub data flows (belonging to different processes) require separate access control (i.e. data flows controlled at the process level), and data flows whose sub data flows do not (i.e. data flows controlled at the data flow level). Accordingly, each protection flow table entry in the device-level protection flow table may further include an indication, which may be a single bit, of whether the sub data flows of different processes in that data flow are to be access-controlled separately.
For a data stream, if access control needs to be performed on sub-data streams of different processes in the data stream, description information of a sub-protection stream table of the data stream may be stored in a protection stream table entry corresponding to the data stream, where the description information of the sub-protection stream table points to the sub-protection stream table of the data stream.
Further, the sub protection flow table of the data flow includes at least one sub protection flow table entry corresponding to the sub data flow. One sub-data flow corresponds to one sub-protection flow table entry, different sub-protection flow table entries are indexed based on identities of the sub-data flows, identities of the sub-data flows are used for distinguishing sub-data flows of different processes in a data flow of one accelerator or IO device, and the identities of the sub-data flows can be mapped with identities of the processes one by one. For one sub-data flow, the sub-protection flow table entry corresponding to the sub-data flow stores the control configuration information corresponding to the sub-data flow. The specific information content included in the control configuration information corresponding to the sub-data stream may refer to the description of the control configuration information corresponding to the data stream hereinabove, and will not be repeated here.
For a data flow whose sub data flows of different processes do not require separate access control, the control configuration information of the data flow may be stored directly in the protection flow table entry of that data flow. Alternatively, the entry may store the description information of a sub protection flow table for the data flow, where that sub protection flow table contains only one sub protection flow table entry holding the control configuration information that applies to the sub data flows of all processes of the data flow.
2. Physical page table protection table
The physical page table protection table corresponding to each data flow stores the authority information of at least one physical page table. Specifically, for a data flow, the corresponding physical page table protection table includes at least one physical page table protection table entry, each corresponding to a physical page table, and the entry for each physical page table stores the authority information of the data flow for that physical page table, i.e. whether the data flow has read authority and/or write authority for the physical page table. For example, the authority information may be 2 bits, where one bit (R) indicates whether read authority is held and the other bit (W) whether write authority is held. Read authority means the data flow is permitted to perform read operations on the physical page table, and write authority means it is permitted to perform write operations on it.
The physical page table protection table may be indexed by a physical address aligned to the protection granularity, such as the identifier of the physical page table or its physical page number (PPN). Thus, when an accelerator or IO device wants to access a memory space directly by physical address, the PAC device first locates, by the identifier of the device's data flow, the protection flow table entry of that data flow in the protection flow table; using the control configuration information stored there, it determines the physical page number of the physical page table that contains the requested physical address; it then locates, by that physical page number, the physical page table protection table entry for that physical page table in the physical page table protection table, and reads from it the authority information of the data flow for that physical page table, i.e. whether the data flow has read authority and whether it has write authority there.
Referring to fig. 4, a schematic diagram of a physical page table protection table according to an embodiment of the present application is provided. The physical page table protection table is a flattened table over the physical address space, storing for each physical page table the access rights of the data flow, i.e. the authority information mentioned above. As an example, the access rights comprise read and write rights, so each physical page table in the protection table may have 2 bits of authority information. One bit, authority information R, indicates whether the data flow has read authority for the physical page table: R = 1 means readable and R = 0 means not readable. The other bit, authority information W, indicates whether the data flow has write authority for the physical page table: W = 1 means writable and W = 0 means not writable.
Thus, once the physical address to be accessed by the accelerator or IO device is known, the physical page number of the physical page table containing that address is computed from the physical address and the protection granularity of the physical page table protection table; the physical page table protection table is then queried by that physical page number to locate the corresponding physical page table protection table entry, and the authority information stored in that entry determines whether the data flow of the accelerator or IO device has access rights for the physical page table.
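As an added example that is not part of the patent, the following C model ties together the protection flow table fields listed above (EN, Zero, OU, PGS, base address, boundary), the two-level stream ID index, and the physical page table protection table lookup, and implements the permission decision described for a direct-physical-address access. Everything the text leaves open is an assumption and marked as such in the code: the split of the stream ID between the two index levels, the PGS encoding as log2 of the page size, the packing of R (bit 0) and W (bit 1) with four pages per byte, the boundary counted in bytes of the table, and the treatment of an unknown stream ID or an address beyond the table as a denied access. The sample tables at the end are constructed for illustration.

```c
/* Added example, not the patent's own code: a software model of the PAC lookup
 * path. Encodings the page leaves open are assumptions and marked as such. */
#include <stdint.h>
#include <stddef.h>

#define PAC_R 0x1u  /* assumption: bit 0 of a 2-bit permission = read  */
#define PAC_W 0x2u  /* assumption: bit 1 of a 2-bit permission = write */

/* One protection flow table entry (PSTE) with the fields listed in the text. */
struct pste {
    uint8_t en;     /* EN: 1 = check this stream, 0 = bypass the check */
    uint8_t zero;   /* Zero: 1 = PPPT initialising, nothing readable or writable */
    uint8_t ou;     /* OU: 1 = stream may only issue virtual-address accesses */
    uint8_t pgs;    /* PGS: protection granularity, assumed encoded as log2(bytes) */
    const uint8_t *pac_base; /* PAC base address: the PPPT itself, modelled as a host pointer */
    uint64_t boundary;       /* PAT boundary: PPPT size, assumed in bytes */
};

/* Upper-level descriptor (Desc) of a two-level protection flow table: one
 * descriptor covers a contiguous range of stream IDs and points at a sub-table. */
struct pst_desc {
    const struct pste *sub;  /* NULL: no sub-table for this stream ID range */
    size_t n_sub;            /* number of PSTEs in the sub-table */
};

#define PST_SPLIT 4  /* assumption: low 4 bits of the stream ID index the sub-table */

/* Index both levels by stream ID; NULL when the ID has no entry. */
static const struct pste *pst_lookup(const struct pst_desc *upper, size_t n_upper,
                                     uint32_t sid)
{
    size_t hi = sid >> PST_SPLIT;
    size_t lo = sid & ((1u << PST_SPLIT) - 1u);
    if (hi >= n_upper || upper[hi].sub == NULL || lo >= upper[hi].n_sub)
        return NULL;
    return &upper[hi].sub[lo];
}

/* Read the 2-bit permission of physical page number ppn from a PPPT that packs
 * four pages per byte; -1 when ppn lies beyond the table's boundary. */
static int pppt_read(const struct pste *e, uint64_t ppn, unsigned *perm)
{
    uint64_t byte = ppn >> 2;
    if (byte >= e->boundary)
        return -1;
    *perm = (e->pac_base[byte] >> ((ppn & 3u) * 2u)) & 0x3u;
    return 0;
}

enum pac_verdict {
    PAC_ALLOW, PAC_DENY_NO_STREAM, PAC_DENY_OU, PAC_DENY_ZERO,
    PAC_DENY_RANGE, PAC_DENY_PERM
};

/* Check one direct-physical-address access from stream sid to address pa. */
enum pac_verdict pac_check(const struct pst_desc *upper, size_t n_upper,
                           uint32_t sid, uint64_t pa, int is_write)
{
    const struct pste *e = pst_lookup(upper, n_upper, sid);
    unsigned perm;
    if (e == NULL)  return PAC_DENY_NO_STREAM;  /* unknown stream: fail closed (assumption) */
    if (!e->en)     return PAC_ALLOW;           /* EN = 0: no check for this stream */
    if (e->ou)      return PAC_DENY_OU;         /* OU = 1: physical-address access forbidden */
    if (e->zero)    return PAC_DENY_ZERO;       /* Zero = 1: table still initialising */
    if (pppt_read(e, pa >> e->pgs, &perm) < 0)
        return PAC_DENY_RANGE;                  /* outside the PPPT boundary (assumption) */
    if (!(perm & (is_write ? PAC_W : PAC_R)))
        return PAC_DENY_PERM;                   /* R/W bit not set for this page */
    return PAC_ALLOW;
}

/* Constructed sample (not from the page): 4 KiB pages, a 4-byte PPPT covering
 * 16 pages; page 0 read-only, page 1 read/write, all other pages inaccessible. */
static uint8_t demo_pppt[4] = { PAC_R | ((PAC_R | PAC_W) << 2), 0, 0, 0 };

static const struct pste demo_sub[16] = {
    [0x2] = { .en = 1, .pgs = 12, .pac_base = demo_pppt, .boundary = sizeof demo_pppt },
    [0x3] = { .en = 1, .ou = 1, .pgs = 12, .pac_base = demo_pppt, .boundary = sizeof demo_pppt },
    [0x4] = { .en = 0 },  /* check disabled for stream 0x14 */
    [0x5] = { .en = 1, .zero = 1, .pgs = 12, .pac_base = demo_pppt, .boundary = sizeof demo_pppt },
};
/* Upper level: stream IDs 0x00-0x0F have no sub-table, 0x10-0x1F use demo_sub. */
static const struct pst_desc demo_upper[2] = { { NULL, 0 }, { demo_sub, 16 } };

enum pac_verdict demo_check(uint32_t sid, uint64_t pa, int is_write)
{
    return pac_check(demo_upper, 2, sid, pa, is_write);
}
```

The order of the checks follows the text: the OU and Zero bits are consulted before the table is read, so a stream that is only permitted virtual-address access, or whose table is still being initialized, is rejected without touching the physical page table protection table. An unknown stream ID and an address beyond the table's boundary are both treated as denials here; the page does not state either outcome, and a real implementation would have to define them.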
3. Protection table cache
Each physical page table protection table may have a corresponding protection table cache for caching the authority information of physical page tables in that protection table. The protection table cache may also be referred to as a physical page table protection table cache; the name is not limited in this application.
As a cache of the physical page table protection table, the protection table cache usually holds the most recently or most frequently accessed authority information, so its hit rate can be high. When the authority information of a given physical page table for a data flow needs to be looked up, the protection table cache of the physical page table protection table is searched first; only if the information is not found there is the physical page table protection table itself searched, which effectively improves lookup efficiency.
It may be understood that, in the embodiments of the present application, a cache replacement algorithm may be used to load authority information from the physical page table protection table into the protection table cache and, according to performance requirements, to evict cached authority information that is rarely used or has not been accessed for a long time, so that the set of physical page tables whose authority information is cached changes dynamically.
In particular, the protection table cache of a physical page table protection table may also comprise a plurality of entries, and these entries may also be indexed by a physical address, such as a physical address number or the identifier of a physical page table (e.g. its physical page number PPN). In one possible implementation, one entry of the protection table cache stores the authority information of only one physical page table, in which case only 2 bits of the entry carry useful information.
In another possible implementation, since the authority information of one physical page table is only 2 bits while each entry of the protection table cache has a fixed width that is generally larger than 2 bits, for example 8 bits, storing the authority information of each physical page table in a separate entry wastes storage. To use the storage space of the protection table cache efficiently, as shown in fig. 5, the authority information (pages) of one or more physical page tables may be stored in the same entry of the protection table cache, with the entries indexed by a hash of the physical page table identifier, i.e. the tag of each entry is that hash value. As an example, the hash value may be the quotient of the physical page table number divided by the maximum number of physical page tables whose authority information fits in one entry, so that the authority information of several physical page tables with consecutive physical page table numbers is stored in the same entry. The hash algorithm used to compute the hash value from the physical page table identifier is not particularly limited in this application.
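As an added example, not code from the patent, the following C model shows the packed protection table cache just described: the tag of an entry is the quotient of the physical page number divided by the number of pages per entry, the remainder selects the 2-bit field inside the entry's 8-bit data, and a miss is filled from the flat physical page table protection table. The direct-mapped organisation (tag modulo the number of entries), the R/W bit positions, the fail-closed handling of a page beyond the table, and the invalidation routine are assumptions; the page names none of them. The sample table is constructed.

```c
/* Added example, not the patent's own code: a direct-mapped protection table
 * cache (PTC) in front of a flat physical page table protection table (PPPT),
 * packing the 2-bit permissions of four consecutive pages into one 8-bit entry. */
#include <stdint.h>
#include <stddef.h>

#define PTC_PAGES_PER_ENTRY 4u  /* four 2-bit fields fill an 8-bit data field */
#define PTC_SETS 8u             /* assumption: 8 direct-mapped entries */

struct ptc_entry {
    uint8_t  valid;
    uint64_t tag;    /* quotient ppn / PTC_PAGES_PER_ENTRY: identifies 4 consecutive pages */
    uint8_t  perms;  /* the PPPT byte holding those pages' R/W bits */
};

struct ptc {
    struct ptc_entry set[PTC_SETS];
    const uint8_t *pppt;  /* backing PPPT, one byte per 4 pages */
    size_t pppt_bytes;    /* PPPT size, i.e. its boundary */
    unsigned hits, misses;
};

void ptc_init(struct ptc *c, const uint8_t *pppt, size_t pppt_bytes)
{
    for (size_t i = 0; i < PTC_SETS; i++) c->set[i].valid = 0;
    c->pppt = pppt; c->pppt_bytes = pppt_bytes; c->hits = c->misses = 0;
}

/* Permission (R = bit 0, W = bit 1, assumption) of physical page number ppn,
 * served from the cache when possible; -1 when ppn is beyond the PPPT. */
int ptc_lookup(struct ptc *c, uint64_t ppn)
{
    uint64_t tag = ppn / PTC_PAGES_PER_ENTRY;                  /* quotient selects the entry */
    unsigned off = (unsigned)(ppn % PTC_PAGES_PER_ENTRY) * 2u; /* remainder selects the 2-bit field */
    struct ptc_entry *e = &c->set[tag % PTC_SETS];             /* assumption: index by tag modulo set count */
    if (e->valid && e->tag == tag) {
        c->hits++;
    } else {
        if (tag >= c->pppt_bytes) return -1;                   /* outside the table: no fill, deny */
        c->misses++;
        e->valid = 1; e->tag = tag; e->perms = c->pppt[tag];   /* fill, evicting the previous tag */
    }
    return (e->perms >> off) & 0x3;
}

/* The cache must be dropped after system software rewrites the PPPT, otherwise
 * stale permissions are served (assumption: the page does not describe this interface). */
void ptc_invalidate_all(struct ptc *c)
{
    for (size_t i = 0; i < PTC_SETS; i++) c->set[i].valid = 0;
}

/* Constructed sample PPPT (not from the page), 16 bytes = 64 pages:
 * page 0 R, page 1 RW, page 6 W only, pages 32-35 RW, everything else no access. */
static const uint8_t ptc_demo_pppt[16] = { [0] = 0x0D, [1] = 0x20, [8] = 0xFF };

/* One shared cache instance over the sample table, initialised on first use. */
struct ptc *ptc_demo(void)
{
    static struct ptc c;
    static int ready;
    if (!ready) { ptc_init(&c, ptc_demo_pppt, sizeof ptc_demo_pppt); ready = 1; }
    return &c;
}
```

Pages 0 and 32 share set 0 in this configuration (tags 0 and 8 both map to set 0), so looking them up alternately evicts one for the other; that is the replacement behaviour the text leaves to an unspecified algorithm. The invalidation routine is the caveat a practitioner would look for: a packed permission cache in front of a software-programmable table only stays correct if every rewrite of the table is followed by an invalidation of the cached copies.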
The physical page table protection table and the protection table cache have been described above for the case of a device-level protection flow table, where access control is performed separately for the data flows of different accelerators or IO devices and each data flow has its own physical page table protection table and protection table cache. It may be appreciated that, in the embodiments of the present application, different data flows may correspond to different protection flow table entries, and different data flows may correspond to different physical page table protection tables and protection table caches. This means that access rights can be set, and access control performed, separately for each data flow.
In one possible implementation, different data flows may also share the same protection flow table entry, and hence the same physical page table protection table and protection table cache. This means the access rights of the data flows of all accelerators/IO devices are uniform, and a single rights control is applied to all data flows. In this case the protection flow table need not be indexed by data flow identifier, since it contains only one entry; the control configuration information of all data flows is the same, and the memory access authority is checked against the same physical page table protection table and protection table cache.
It should be further understood that, when the protection flow table is a process-level protection flow table, and access control is further performed on sub-data flows of different processes in the same data flow respectively on the basis of distinguishing data flows of different accelerators or IO devices, a physical page table protection table and a protection table cache corresponding to the sub-data flows may be implemented by a method similar to the above description, which is not repeated in the present application.
Based on the system architecture and PAC apparatus, please refer to fig. 6, which is a flow chart of a memory protection method provided in an embodiment of the present application, the method includes:
In step S601, the PAC apparatus receives a memory access request from an accelerator or an IO device, where the memory access request includes an identifier of a data flow of the accelerator or the IO device and a first physical address that the accelerator or the IO device requests to access.
In step S602, the PAC apparatus reads authority information corresponding to a first physical page table where a first physical address is located according to an identifier of a data stream of an accelerator or an IO device, where the authority information corresponding to the first physical page table is used to indicate whether the data stream has a read authority and/or a write authority in the first physical page table.
Optionally, before reading the authority information corresponding to the first physical page table where the first physical address is located, the PAC device may determine, according to the first physical address, the configured boundary range of the physical page table protection table corresponding to the data flow, and the protection granularity of the physical page table protection table, an identifier of the first physical page table where the first physical address is located, for example, may be a physical page table number of the first physical page table.
In this embodiment of the present application, the PAC apparatus may read the authority information of the first physical page table where the first physical address is located through the following two possible implementations:
In one possible implementation manner, the PAC apparatus may determine a physical page table protection table corresponding to the data flow of the accelerator or the IO device according to the identifier of the data flow of the accelerator or the IO device, and then read the authority information of the first physical page table from the physical page table protection table entry corresponding to the identifier of the first physical page table in that physical page table protection table.
In another possible implementation manner, the PAC apparatus may determine, according to the identifier of the data flow of the accelerator or the IO device, a physical page table protection table corresponding to the data flow of the accelerator or the IO device and a protection table cache of the physical page table protection table. And then searching the authority information of the first physical page table in the protection table cache according to the identification of the first physical page table, and if the authority information of the first physical page table is searched in the protection table cache, reading the authority information of the first physical page table from the protection table cache. Otherwise, if the authority information of the first physical page table cannot be found in the protection table cache, the authority information of the first physical page table is read from the physical page table protection table according to the identification of the first physical page table, and the authority information of the first physical page table is loaded into the protection table cache.
In step S603, the PAC device performs authority checking on the memory access request according to the authority information corresponding to the first physical page table, and if the authority checking passes, allows the memory access request to access the first physical address. Otherwise, the memory access request is denied access to the first physical address.
Specifically, the PAC apparatus performing the permission check on the memory access request according to the permission information corresponding to the first physical page table may include the following cases. If the memory access request requests to execute a read operation at the first physical address, and the authority information corresponding to the first physical page table indicates that the data stream of the accelerator or the IO device has read authority in the first physical page table, i.e. the first physical page table is readable for it, the authority check passes. Accordingly, the PAC apparatus allowing the memory access request to access the first physical address at this time means allowing the data stream of the accelerator or the IO device to read the information stored at the first physical address, that is, allowing the read operation to be performed at the first physical address.
If the memory access request requests to execute a read operation at the first physical address, but the authority information corresponding to the first physical page table indicates that the data stream of the accelerator or the IO device has no read authority in the first physical page table, i.e. the first physical page table is unreadable for it, the authority check does not pass, and the PAC device denies the memory access request access to the first physical address.
If the memory access request requests to execute a write operation at the first physical address, and the authority information corresponding to the first physical page table indicates that the data stream of the accelerator or the IO device has write authority in the first physical page table, i.e. the first physical page table is writable for it, the authority check passes. Accordingly, the PAC apparatus allowing the memory access request to access the first physical address at this time means that the data stream of the accelerator or the IO device is allowed to write new information at the first physical address, that is, the write operation is allowed to be performed at the first physical address.
If the memory access request requests to execute a write operation at the first physical address, but the authority information corresponding to the first physical page table indicates that the data stream of the accelerator or the IO device has no write authority in the first physical page table, i.e. the first physical page table is not writable for it, the authority check does not pass, and the PAC device denies the memory access request access to the first physical address.
If the memory access request requests to execute both a read operation and a write operation at the first physical address, and the authority information corresponding to the first physical page table indicates that the data stream of the accelerator or the IO device has both read authority and write authority in the first physical page table, i.e. the first physical page table is readable and writable for it, the authority check passes. Correspondingly, the PAC apparatus allowing the memory access request to access the first physical address means allowing the data stream of the accelerator or the IO device to read the information stored at the first physical address and also to write new information at the first physical address, that is, allowing the data stream of the accelerator or the IO device to execute the read operation and the write operation at the first physical address.
If the memory access request requests to execute both a read operation and a write operation at the first physical address, but the authority information corresponding to the first physical page table indicates that the data stream of the accelerator or the IO device has no read authority (i.e. the table is unreadable) in the first physical page table, or indicates that the data stream has no write authority (i.e. the table is not writable) in the first physical page table, the authority check fails, and the PAC device denies the memory access request access to the first physical address.
Optionally, before executing step S602 to read the authority information of the first physical page table where the first physical address is located, the PAC apparatus may further read a protection flow table entry corresponding to the flow identifier of the data flow of the accelerator or the IO device in the protection flow table. As described above, the protection flow table entry stores control configuration information of a data flow of the accelerator or the IO device, which includes first control information for indicating whether global authority information of a physical page table protection table corresponding to the data flow is unreadable or not, second control information for indicating a boundary range of the physical page table protection table, third control information for indicating protection granularity of the physical page table protection table, fourth control information for indicating whether a function of checking memory access authority is opened for the data flow, and the like.
In this way, after the PAC apparatus reads the protection flow table entry corresponding to the flow identifier of the data flow of the accelerator or the IO device in the protection flow table, it may first determine, according to the indication of the fourth control information, whether the function of checking the memory access right for the data flow is enabled. If so, the memory access rights need to be checked for the data stream, and the PAC apparatus continues with the subsequent process of checking the memory access rights. If not, the memory access rights are not checked for the data stream, and the PAC apparatus can route the access directly onwards.
After determining that the function of checking the memory access right for the data stream is started, the PAC device can determine whether to control the data stream to only initiate virtual address access and not initiate physical address access according to the indication of the fifth control information. If the fifth control information indicates that the data stream can only initiate virtual address access and cannot initiate physical address access, the PAC apparatus may directly reject the access. If the fifth control information indicates that the data stream can initiate a physical address access, the PAC apparatus may continue a flow of checking memory access later.
Then, the PAC device may determine, according to the indication of the first control information, whether global authority information of the physical page table protection table corresponding to the data flow is unreadable or not, and determine, according to the boundary range of the physical page table protection table corresponding to the data flow indicated by the second control information, whether the first physical address is located within the boundary range of the physical page table protection table.
If the global authority information of the physical page table protection table corresponding to the data stream indicated by the first control information is unreadable or unwritable, the first control information indicates that all physical page tables related to the physical page table protection table are inaccessible, namely the authority information of all physical page tables is unreadable or unwritable. This may be the case because the memory access request comes before the initialization of the physical page table protection table, at which point the PAC apparatus may directly reject the access. Similarly, if the first physical address is outside the boundary range of the physical page table protection table indicated by the second control information, it indicates that the accelerator or the data stream of the IO device attempts to access an address space outside its authority range or invisible or unknown to it, and the PAC apparatus may also directly reject the access.
If the global authority information of the physical page table protection table corresponding to the data stream indicated by the first control information is not unreadable or unwritable, and the first physical address is located within the boundary range of the physical page table protection table indicated by the second control information, the PAC device may read the authority information of the first physical page table where the first physical address is located.
Optionally, before reading the authority information of the first physical page table where the first physical address is located, the PAC apparatus may determine, according to the first physical address, the boundary range of the physical page table protection table corresponding to the data stream indicated in the second control information, and the protection granularity of the physical page table protection table corresponding to the data stream indicated in the third control information, an identifier of the first physical page table where the first physical address is located, for example, obtain a physical page table number of the first physical page table, and then execute step S602, and read the authority information of the data stream in the first physical page table from the physical page table protection table or from a protection table cache of the physical page table protection table.
Optionally, the PAC apparatus may further perform a procedure of refreshing the protection table before performing step S601. Specifically, the PAC apparatus may receive, from the translation proxy unit, an identification of a data stream of the accelerator or the IO device, a first physical address where the data stream requests access, and authority information of the accelerator or the IO device to access the first physical address.
In this embodiment of the present application, the translation proxy unit is a functional unit configured to translate a virtual address into the corresponding physical address. The translation proxy unit may receive an address translation request from an accelerator or an IO device, where the address translation request includes an identification of a data stream of the accelerator or the IO device and a first virtual address that the accelerator or the IO device requests to translate. After receiving the address translation request, the translation proxy unit translates the first virtual address into the corresponding first physical address, and then sends the first physical address, carried in an address translation result, to the accelerator or the IO device. In addition, the translation proxy unit may synchronously send the address translation result, which includes the first physical address, to the PAC device, together with related information such as the identifier of the data stream of the accelerator or the IO device and the authority information of the first physical page table in which the accelerator or the IO device accesses the first physical address.
After receiving the identifier of the data flow of the accelerator or the IO device and the request of the accelerator or the IO device to access the first physical address from the translation proxy unit, the PAC apparatus may determine, according to the identifier of the data flow of the accelerator or the IO device, a protection flow table entry corresponding to the identifier of the data flow from the protection flow table, and read control configuration information of the data flow from the corresponding protection flow table entry. Furthermore, the PAC apparatus determines, according to the control configuration information of the data stream, a physical page table protection table corresponding to the data stream of the accelerator or the IO device, and an identifier of a first physical page table where the first physical address is located.
Further, the PAC apparatus may determine whether the authority information of the first physical page table stored in the physical page table protection table corresponding to the data flow of the accelerator or the IO device is consistent with the authority information of the accelerator or the IO device to access the first physical address received from the translation proxy unit, that is, whether the physical page table protection table corresponding to the data flow of the accelerator or the IO device stores the accurate access authority of the data flow in the first physical page table.
Specifically, if the protection table cache of the physical page table protection table corresponding to the data stream stores authority information corresponding to the first physical page table, and the authority information corresponding to the first physical page table stored in the protection table cache is inconsistent with the authority information of the accelerator or the IO device, which is received by the PAC device from the translation proxy unit, for accessing the first physical address, the PAC device may update the physical page table protection table corresponding to the data stream and the authority information corresponding to the first physical page table stored in the protection table cache according to the authority information of the accelerator or the IO device, which is received by the PAC device from the translation proxy unit, for accessing the first physical address.
That is, the PAC apparatus may consider the authority information received from the translation proxy unit for the accelerator or the IO device to access the first physical address as the accurate access authority of the accelerator or the IO device in the first physical page table. If the authority information stored in the physical page table protection table and the protection table cache corresponding to the data stream is inconsistent with that access authority, the accurate authority information received from the translation proxy unit is used to refresh the authority information of the first physical page table stored in the physical page table protection table and the protection table cache, so that the PAC device is guaranteed to use accurate authority information when it checks the memory access authority using the authority information stored in the physical page table protection table or the protection table cache.
If the protection table cache of the physical page table protection table corresponding to the data stream stores the authority information corresponding to the first physical page table, and the authority information corresponding to the first physical page table stored in the protection table cache is consistent with the authority information of the accelerator or the IO device for accessing the first physical address that the PAC device received from the translation proxy unit, the PAC device does not need to do anything.
If the protection table cache of the physical page table protection table corresponding to the data stream does not store the authority information corresponding to the first physical page table, the PAC device may write the authority information of the accelerator or the IO device accessing the first physical address received from the translation proxy unit as the authority information corresponding to the first physical page table into the physical page table protection table corresponding to the data stream and/or the protection table cache of the physical page table protection table respectively.
Specifically, the PAC device may newly establish a physical page table protection table entry in the physical page table protection table corresponding to the data flow, establish a mapping relationship between the physical page table protection table entry and the identifier of the first physical page table, and then store the authority information of the accelerator or the IO device for accessing the first physical address into the physical page table protection table entry. The method of writing the authority information of the accelerator or the IO device to access the first physical address into the protection table cache by the PAC device is similar to the method, and will not be described again.
In addition, the associated physical page tables may be updated during the operation of the accelerator or IO device. For example, a new physical page table may need to be established, or the mapping between virtual addresses and physical addresses may change. At this point, the system software may choose to invalidate some of the physical page tables, to invalidate all of the physical page tables associated with a process in the accelerator or IO device, or even to invalidate all of the physical page tables associated with the accelerator or IO device. In either case, the page table management module in the system software knows which physical page tables are invalidated and sends the information of the invalidated physical page tables to the PAC device, so that the PAC device performs the corresponding processing, including refreshing the control configuration information corresponding to the data flow of the accelerator or the IO device stored in the protection flow table, and the authority information of the invalidated physical page tables stored in the physical page table protection table.
In particular, in one possible implementation, the PAC apparatus may receive page table invalidation information from the page table management module, the page table invalidation information including an identification of a data stream of the accelerator or IO device and an identification of one or more physical page tables that are invalidated. The PAC apparatus may then update the authority information corresponding to the invalidated physical page table or tables, in the physical page table protection table corresponding to the data stream and in the corresponding protection table cache, to unreadable or unwritable.
In another possible implementation, the PAC apparatus may receive page table invalidation information from the page table management module, the page table invalidation information including an identification of a data stream of the accelerator or the IO device and indication information to globally invalidate the physical page tables associated with the data stream. The PAC apparatus may then set the global authority information of the physical page table protection table corresponding to the data stream in the protection flow table to unreadable or unwritable. If the number of physical page tables related to the data stream is small, the PAC device may instead choose to traverse the physical page tables in the physical page table protection table and/or the protection table cache corresponding to the data stream and set the authority information of each physical page table to unreadable or unwritable one by one, which is not limited in this application. This embodiment may be referred to as global invalidation based on stream identification (stream ID).
In yet another possible implementation manner, the PAC apparatus may receive page table invalidation information from the page table management module, where the page table invalidation information includes an identification of a data flow of the accelerator or the IO device, an identification of a sub-data flow of a process in the accelerator or the IO device, and indication information for globally invalidating the physical page tables related to the sub-data flow. In this scenario, if the protection flow table is a process-level protection flow table and the sub-data flow of each process in the accelerator or the IO device has a corresponding physical page table protection table, the PAC apparatus may set the global authority information of the physical page table protection table corresponding to the sub-data flow, in the sub-protection flow table of the data flow, to unreadable or unwritable. Alternatively, if the number of physical page tables related to the sub-data stream is small, the PAC device may choose to traverse the physical page tables in the physical page table protection table and/or the protection table cache corresponding to the sub-data stream and set the authority information of each physical page table to unreadable or unwritable one by one. This embodiment may be referred to as global invalidation based on sub-stream identification (sub-stream ID).
It should be noted that, in the embodiment of the present application, the physical page table protection table and the protection table cache in the PAC apparatus may be automatically maintained and refreshed by hardware. It should be noted, however, that this approach requires the accelerator or IO device to support an address translation service (address translation service, ATS) mechanism or another similar mechanism, such as the distributed translation interface (distributed translation interface, DTI) mechanism under the ARM architecture. Under the ATS mechanism, the accelerator or the IO device carries information such as the identifier of its data stream, the identifier of the sub-data stream (if needed), the start address of the virtual address space, and the space size, and applies to a system translation agent (translation agent, TA) for the physical address space corresponding to the virtual address space, so that the accelerator or the IO device can obtain the corresponding address space and related address space attributes before accessing system memory.
Alternatively, the physical page table protection table and the protection table cache in the PAC apparatus may also be maintained and refreshed by the system software. Specifically, referring to fig. 7, system software (such as an operating system (OS)) may directly control the PAC device: before the driver corresponding to an accelerator or an IO device starts its service operation, the system software allocates the related resources for the PAC device, establishes the corresponding protection flow table entry in the protection flow table, and sets the control configuration information. In addition, the system software establishes the physical page table protection table corresponding to the accelerator or the IO device in the PAC device, and configures the access authority of the related physical addresses in that physical page table protection table.
The general flow involved in the memory protection method provided in the embodiment of the present application is described in detail below by the flowcharts in figs. 8a to 8d.
1. Initialization
Referring to FIG. 8a, the system management software first discovers the accelerator/IO devices and the system software enables the ATS mechanism. The system software establishes a corresponding protection flow table entry for the accelerator/IO device according to the flow identification or device identification (such as the stream ID or request ID) of the accelerator/IO device, and initializes the protection flow table entry. The system software then starts the accelerator.
During initialization, the system software does not need to traverse the whole physical page table protection table and set the authority bits of each physical page table to 00b (no read authority and no write authority) one by one. Instead, it can initialize the protection flow table entry corresponding to the accelerator/IO device with the ZERO bit set to 1, which indicates that the accelerator/IO device corresponding to the flow identifier has neither read permission nor write permission, i.e. the global permission of the corresponding physical page table protection table is unreadable and unwritable.
The system software can also set other control configuration information such as the base address and the boundary size of the physical page table protection table corresponding to the accelerator/IO device in the memory during initialization.
2. Protection table refresh
Referring to FIG. 8b, when a lookup misses in the ATC local to an accelerator/IO device, the accelerator/IO device may request address translation from the IOMMU/SMMU via the ATS mechanism. After the address translation is completed, the IOMMU/SMMU returns the corresponding address translation result to the accelerator/IO device, and in addition synchronously sends the address translation result and related information to the PAC apparatus of the present application. The address translation result comprises the physical address of the address space that the accelerator/IO device requests to access, and the related information can comprise the flow identification of the accelerator/IO device and the authority information of the corresponding physical page table.
The PAC apparatus may then determine whether its local protection table cache corresponding to the flow identifier of the accelerator/IO device already holds authority information for that physical page table. If the authority information of the corresponding physical page table exists in the protection table cache and is consistent with the authority information provided by the IOMMU/SMMU, the PAC device does not need to do anything. If the authority information of the corresponding physical page table exists in the protection table cache but is inconsistent with the authority information provided by the IOMMU/SMMU, the PAC device refreshes the authority information of the corresponding physical page table in the protection table cache and writes the authority information back to the corresponding physical page table protection table (Physical Page Protection Table, PPPT). If the protection table cache does not hold the authority information of the corresponding physical page table, the PAC device establishes a cache entry for the corresponding physical page table in the protection table cache, and writes the authority information of the physical page table into the corresponding physical page table protection table.
3. Memory access
Referring to fig. 8c, after the accelerator/IO device obtains the physical address, it initiates the memory access, and all memory access requests are checked for access rights by the PAC apparatus of the present application. If the check switch bit in the protection flow table entry corresponding to the flow being accessed is found not to be on (i.e., the EN field indicates that access checking is not enabled), the access is routed directly forward. Otherwise, if an access request of the accelerator/IO device to access system memory using the physical address arrives before the physical page table protection table is initialized (i.e., the ZERO field indicates that the global authority information is unreadable and unwritable, or the ZERO field is considered invalid), or the value of the physical address of the access after granularity alignment is greater than the boundary range of the physical page table protection table, the access is blocked directly and an event is reported to the system software. Otherwise, the PAC device determines whether the authority information corresponding to the physical page table exists in its protection table cache; if not, it loads the authority information corresponding to the physical page table into the protection table cache and then performs the authority check; otherwise, it reads the authority information of the corresponding physical page table directly from the protection table cache to perform the authority check. If the authority check passes, the access may be routed forward; otherwise, the access is blocked and an event is reported to the software.
4. Invalidation of protection tables
Referring to FIG. 8d, the corresponding physical page table may be updated while the process is running. If a new physical page table is established, or the mapping from a virtual address to a physical address changes, the PAC apparatus of the present application must be brought up to date as well. The system software may choose to invalidate part of the page table mapping or all page tables belonging to the process. In either case the page table management module of the system needs to know which physical page tables, under which stream, are to be invalidated. That information is synchronised to the PAC device, which then marks the cache entries for the invalidated page tables in the protection table cache as dirty, refreshes their authority information in the physical page protection table (setting it to unreadable and unwritable), and refreshes the corresponding protection flow table entry or sub-protection flow table entry in the protection flow table.
The invalidation may also be a sub-StreamID based global invalidation, in which case the operation affects all physical page tables under that sub-StreamID, or a StreamID based global invalidation, which affects all physical page tables under that StreamID.
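The three PAC steps above (the translation-time cache update, the access check with its EN, ZERO and boundary gates, and the per-page versus StreamID-wide invalidation) as one compact reference model. This is an added example, not the patent's own implementation: every name (pac_*, ptc_*, PERM_R, PERM_W), the R/W bit layout of a PPPT entry, the table sizes, the hash that picks a cache slot and the 4 KiB granularity are assumptions chosen for illustration; the patent fixes none of them. The sample addresses in main are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added reference model of the protection agent control (PAC) check path.
 * Example code, not the patent's RTL: all names, field widths and table
 * sizes below are assumptions.                                            */

#define PERM_R 0x1u          /* read permission bit in a PPPT entry (assumed)  */
#define PERM_W 0x2u          /* write permission bit in a PPPT entry (assumed) */
#define PPPT_PAGES 64        /* pages covered by one PPPT (assumed)            */
#define PTC_SLOTS  8         /* protection table cache slots (assumed)         */

typedef enum {
    PAC_FORWARD = 0,         /* access routed on to memory                       */
    PAC_BLOCK_UNINIT,        /* ZERO set: PPPT not initialised or invalidated    */
    PAC_BLOCK_RANGE,         /* aligned PA outside the PPPT boundary range       */
    PAC_BLOCK_PERM           /* R/W bits do not cover the requested access       */
} pac_verdict;

struct ptc_slot { bool valid, dirty; uint32_t page; uint8_t perm; };

/* One protection flow table entry (per StreamID) with its PPPT and cache. */
struct pac_flow {
    bool en;                 /* EN: check switch for this stream                 */
    bool zero;               /* ZERO: global authority is no-read/no-write       */
    uint64_t base, limit;    /* [base, limit) covered by the PPPT                */
    unsigned gran_shift;     /* protection granularity, log2 bytes               */
    uint8_t pppt[PPPT_PAGES];        /* physical page protection table           */
    struct ptc_slot ptc[PTC_SLOTS];  /* protection table cache                   */
};

/* Claim 3: the cache slot is selected by a hash of the page identifier. */
static unsigned ptc_hash(uint32_t page) { return (page * 2654435761u) >> 29; }

/* Align the PA to the protection granularity and map it to a page index;
 * returns false when it lies outside the PPPT boundary range.             */
static bool pac_page_of(const struct pac_flow *f, uint64_t pa, uint32_t *page)
{
    uint64_t aligned = pa & ~((1ull << f->gran_shift) - 1);
    if (aligned < f->base || aligned >= f->limit) return false;
    *page = (uint32_t)((aligned - f->base) >> f->gran_shift);
    return *page < PPPT_PAGES;
}

/* Cache lookup; a dirty (invalidated) slot is treated as a miss so the next
 * access reloads the now-zeroed PPPT entry.                               */
static struct ptc_slot *ptc_lookup(struct pac_flow *f, uint32_t page)
{
    struct ptc_slot *s = &f->ptc[ptc_hash(page)];
    return (s->valid && !s->dirty && s->page == page) ? s : NULL;
}

/* Step 2 (translation): the IOMMU/SMMU hands PAC the PA and the permissions
 * it granted; PAC keeps cache and PPPT consistent with them.              */
void pac_on_translation(struct pac_flow *f, uint64_t pa, uint8_t perm)
{
    uint32_t page;
    if (!pac_page_of(f, pa, &page)) return;      /* outside the PPPT: nothing to record */
    struct ptc_slot *s = ptc_lookup(f, page);
    if (s && s->perm == perm) return;            /* hit and consistent: nothing to do */
    s = &f->ptc[ptc_hash(page)];                 /* stale hit or miss: (re)fill the slot */
    *s = (struct ptc_slot){ .valid = true, .dirty = false, .page = page, .perm = perm };
    f->pppt[page] = perm;                        /* and write the permission back to the PPPT */
}

/* Step 3 (memory access): every request is checked; 'want' is PERM_R,
 * PERM_W or both. Blocked verdicts stand in for the reported event.       */
pac_verdict pac_check_access(struct pac_flow *f, uint64_t pa, uint8_t want)
{
    uint32_t page;
    if (!f->en) return PAC_FORWARD;              /* EN clear: checking off for this stream */
    if (f->zero) return PAC_BLOCK_UNINIT;        /* PPPT not initialised or globally invalidated */
    if (!pac_page_of(f, pa, &page)) return PAC_BLOCK_RANGE;
    struct ptc_slot *s = ptc_lookup(f, page);
    if (!s) {                                    /* miss: load the PPPT entry into the cache */
        s = &f->ptc[ptc_hash(page)];
        *s = (struct ptc_slot){ .valid = true, .dirty = false, .page = page, .perm = f->pppt[page] };
    }
    return (want & ~s->perm) ? PAC_BLOCK_PERM : PAC_FORWARD;
}

/* Step 4a (per-page invalidation, claim 10): mark the cache slot dirty and
 * make the PPPT entry unreadable and unwritable.                          */
void pac_invalidate_page(struct pac_flow *f, uint32_t page)
{
    if (page >= PPPT_PAGES) return;
    struct ptc_slot *s = &f->ptc[ptc_hash(page)];
    if (s->valid && s->page == page) { s->dirty = true; s->perm = 0; }
    f->pppt[page] = 0;
}

/* Step 4b (StreamID/sub-StreamID global invalidation, claim 11): only the
 * flow table entry's ZERO bit is set; no per-page walk is needed.         */
void pac_invalidate_stream(struct pac_flow *f) { f->zero = true; }

/* Flow entry as system software would leave it once the PPPT is set up. */
void pac_flow_init(struct pac_flow *f, uint64_t base, unsigned gran_shift)
{
    memset(f, 0, sizeof *f);
    f->en = true;
    f->zero = false;
    f->base = base;
    f->gran_shift = gran_shift;
    f->limit = base + ((uint64_t)PPPT_PAGES << gran_shift);
}

int main(void)
{
    struct pac_flow f;
    pac_flow_init(&f, 0x10000000ull, 12);         /* 64 x 4 KiB pages at 0x10000000 (constructed) */
    pac_on_translation(&f, 0x10003000ull, PERM_R); /* IOMMU granted read-only on page 3 */
    printf("read  page 3: %d\n", pac_check_access(&f, 0x10003010ull, PERM_R)); /* 0 = forward */
    printf("write page 3: %d\n", pac_check_access(&f, 0x10003010ull, PERM_W)); /* 3 = blocked on permission */
    pac_invalidate_stream(&f);
    printf("after global invalidation: %d\n", pac_check_access(&f, 0x10003010ull, PERM_R)); /* 1 */
    return 0;
}
```

The cache is direct-mapped on a hash of the page index to mirror claim 3; a real device would additionally tag entries by sub-StreamID and raise an event or interrupt for the blocked cases, which the model collapses into the returned verdict. Note the ordering of the gates: EN is consulted before ZERO, so a stream with checking disabled is never blocked even while its PPPT is uninitialised.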
The embodiment of the present application further provides a protection agent control device, please refer to fig. 9, which is a schematic structural diagram of the protection agent control device provided in the embodiment of the present application, where the protection agent control device 900 includes: a communication module 910 and a processing module 920. The protection agent control device may be used to implement any of the method embodiments described above.
Illustratively, when the protection agent control device executes the method embodiment shown in fig. 6, the communication module 910 is configured to receive a memory access request from an accelerator or an input/output IO device, where the memory access request includes an identifier of a data stream of the accelerator or the IO device and a first physical address for requesting access; the processing module 920 is configured to read, according to an identifier of a data stream of the accelerator or the IO device, rights information corresponding to a first physical page table where a first physical address is located, where the rights information corresponding to the first physical page table is used to indicate whether the data stream has a read right and/or a write right in the first physical page table; and performing authority checking on the memory access request according to the authority information corresponding to the first physical page table, and if the authority checking is passed, allowing the memory access request to access the first physical address.
The processing module 920 involved in the protection agent control device may be implemented by a processor or processor-related circuit component, and the communication module 910 may be implemented by a transceiver or transceiver-related circuit component. The operations and/or functions of each module in the protection agent control device are respectively for implementing the corresponding flow of the method shown in fig. 6, fig. 7, fig. 8a, fig. 8b, fig. 8c or fig. 8d, and are not described herein for brevity.
The embodiment of the application also provides a chip system comprising a processor coupled to a memory; the memory stores a program or instructions which, when executed by the processor, cause the chip system to implement the method of any of the method embodiments described above.
Alternatively, the chip system may contain one or more processors. A processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general purpose processor that executes software code stored in a memory.
Alternatively, the chip system may contain one or more memories. A memory may be integrated with the processor or separate from it; this application does not limit the arrangement. For example, the memory may be a non-transitory memory such as a ROM, which may be integrated on the same chip as the processor or provided separately on a different chip; the type of memory and the manner in which memory and processor are provided are not specifically limited in this application.
The chip system may be, for example, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
It will be appreciated that the steps of the method embodiments described above may be carried out by logic circuitry in a processor or instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor or in a combination of hardware and software modules in a processor.
The embodiment of the application also provides a computer readable storage medium, wherein computer readable instructions are stored in the computer storage medium, and when the computer reads and executes the computer readable instructions, the computer is caused to execute the method in the embodiment of the method.
The present application also provides a computer program product, which when read and executed by a computer, causes the computer to perform the method of the above-described method embodiments.
The embodiment of the application provides a computer system, which comprises a protection agent control device, a CPU, at least one accelerator of a third party or IO equipment, wherein the CPU, the accelerator of at least one third party or the IO equipment are coupled with the protection agent control device.
It is to be appreciated that the processors referred to in the embodiments of the present application may be CPUs, but may also be other general purpose processors, DSP, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It should also be understood that the memory referred to in the embodiments of the present application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct Rambus RAM (DR RAM).
Note that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, the memory (storage module) is integrated into the processor.
It should be noted that the memory described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
It should be understood that the various numbers referred to in the embodiments of the present application are merely for convenience of description; the sequence numbers of the above processes do not imply an execution order, which is instead determined by the functions and internal logic of the processes, and they do not constitute any limitation on the implementation of the embodiments of the present application.
In the various embodiments of the application, if there is no specific description or logical conflict, terms and/or descriptions between the various embodiments are consistent and may reference each other, and features of the various embodiments may be combined to form new embodiments according to their inherent logical relationships.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory, a random access memory, a magnetic disk or an optical disk.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (25)

  1. A memory protection method, the method comprising:
    receiving a memory access request from an accelerator or an input/output (IO) device, wherein the memory access request comprises an identifier of a data stream of the accelerator or the IO device and a first physical address for requesting access;
    reading authority information corresponding to a first physical page table where the first physical address is located according to the identification of the data stream of the accelerator or the IO device, wherein the authority information corresponding to the first physical page table is used for indicating whether the data stream has a read authority and/or a write authority in the first physical page table;
    and performing authority check on the memory access request according to the authority information corresponding to the first physical page table, and allowing the memory access request to access the first physical address if the authority check is passed.
  2. The method of claim 1, wherein the reading authority information corresponding to a first physical page table where the first physical address is located according to the identifier of the data stream of the accelerator or the IO device includes:
    determining a physical page table protection table and a protection table cache corresponding to the data stream according to the identification of the data stream of the accelerator or the IO device, wherein the physical page table protection table stores authority information corresponding to at least one physical page table, and the protection table cache is the cache of the physical page table protection table;
    judging whether authority information corresponding to the first physical page table exists in the protection table cache according to the identification of the first physical page table, and if so, reading the authority information corresponding to the first physical page table from the protection table cache;
    if the authority information does not exist, the authority information corresponding to the first physical page table is read from the physical page table protection table, and the authority information corresponding to the first physical page table is loaded into the protection table cache.
  3. The method of claim 2, wherein one entry of the protection table cache stores authority information corresponding to one or more physical page tables, and an entry of each physical page table in which the authority information corresponding to the physical page table is located in the protection table cache is indexed according to a hash value of an identifier of the physical page table.
  4. The method of claim 1, wherein the reading authority information corresponding to a first physical page table where the first physical address is located according to the identifier of the data stream of the accelerator or the IO device includes:
    determining a physical page table protection table corresponding to the data stream according to the identification of the data stream of the accelerator or the IO device, wherein the physical page table protection table stores authority information corresponding to at least one physical page table;
    and reading the authority information corresponding to the first physical page table from the physical page table protection table according to the identification of the first physical page table.
  5. The method according to any one of claims 1 to 4, wherein before the reading, according to the identifier of the data stream of the accelerator or the IO device, permission information corresponding to a first physical page table where the first physical address is located, the method further includes:
    reading, from a protection flow table, a protection flow table entry corresponding to the stream identifier of the data stream of the accelerator or the IO device, wherein the protection flow table entry comprises first control information and second control information, the first control information indicating whether the global authority information of the physical page table protection table corresponding to the data stream is set to unreadable and unwritable, and the second control information indicating the boundary range of the physical page table protection table;
    if, according to the first control information and the second control information, the global authority information of the physical page table protection table is not set to unreadable and unwritable and the first physical address lies within the boundary range of the physical page table protection table, reading the authority information corresponding to the first physical page table where the first physical address is located.
  6. The method of claim 5, wherein the protection flow table entry further includes third control information, the third control information indicating a protection granularity of the physical page table protection table;
    before the authority information corresponding to the first physical page table where the first physical address is located is read, the method further includes:
    and determining a first physical page table where the first physical address is located according to the boundary range and the protection granularity of the physical page table protection table.
  7. The method according to claim 5 or 6, wherein the protection flow table entry further includes fourth control information, the fourth control information indicating whether the function of checking memory access rights is enabled for the data stream;
    after the protection flow table entry corresponding to the stream identifier of the data stream of the accelerator or the IO device is read from the protection flow table, the method further includes:
    determining, according to the fourth control information, that the function of checking memory access rights is enabled for the data stream.
  8. The method according to any one of claims 1 to 7, further comprising:
    receiving an identification of a data stream of the accelerator or the IO device, the first physical address and authority information of the accelerator or the IO device for accessing the first physical address from a translation proxy unit;
    if the authority information corresponding to the first physical page table where the first physical address is located exists in the protection table cache corresponding to the data stream, and the authority information corresponding to the first physical page table in the protection table cache is inconsistent with the authority information, received from the translation proxy unit, of the accelerator or the IO device for accessing the first physical address, updating the authority information corresponding to the first physical page table in both the physical page table protection table corresponding to the data stream and the protection table cache according to the authority information received from the translation proxy unit.
  9. The method of claim 8, wherein the method further comprises:
    if the authority information corresponding to the first physical page table where the first physical address is located does not exist in the protection table cache corresponding to the data stream, the authority information of the accelerator or the IO device, which is received from the translation proxy unit and accesses the first physical address, is used as the authority information corresponding to the first physical page table where the first physical address is located, and is written into the physical page table protection table corresponding to the data stream and/or the protection table cache respectively.
  10. The method according to any one of claims 1 to 9, further comprising:
    receiving page table invalidation information from a page table management module, the page table invalidation information comprising an identification of a data stream of the accelerator or IO device and an identification of one or more physical page tables that are invalidated;
    and setting the authority information corresponding to the invalidated one or more physical page tables, in both the protection table cache corresponding to the data stream and the physical page table protection table, to unreadable and unwritable.
  11. The method according to any one of claims 1 to 9, further comprising:
    receiving page table invalidation information from a page table management module, wherein the page table invalidation information comprises identification of a data stream of the accelerator or the IO device and indication information for performing global invalidation on a physical page table related to the data stream;
    and setting the global authority information of the physical page table protection table corresponding to the data flow stored in the protection flow table entry corresponding to the identification of the data flow in the protection flow table as unreadable and unwritable.
  12. A protection agent control device, the device comprising a processor and a communication interface; wherein,
    The communication interface is used for receiving a memory access request from an accelerator or an input/output (IO) device, wherein the memory access request comprises an identifier of a data stream of the accelerator or the IO device and a first physical address for requesting access;
    the processor is configured to read authority information corresponding to a first physical page table where the first physical address is located according to an identifier of a data stream of the accelerator or the IO device, where the authority information corresponding to the first physical page table is used to indicate whether the data stream has a read authority and/or a write authority in the first physical page table;
    and performing authority check on the memory access request according to the authority information corresponding to the first physical page table, and if the authority check is passed, allowing the memory access request to access the first physical address.
  13. The apparatus of claim 12, wherein the processor is specifically configured to:
    determining a physical page table protection table and a protection table cache corresponding to the data stream according to the identification of the data stream of the accelerator or the IO device, wherein the physical page table protection table stores authority information corresponding to at least one physical page table, and the protection table cache is the cache of the physical page table protection table;
    judging whether authority information corresponding to the first physical page table exists in the protection table cache according to the identification of the first physical page table, and if so, reading the authority information corresponding to the first physical page table from the protection table cache;
    if the authority information does not exist, the authority information corresponding to the first physical page table is read from the physical page table protection table, and the authority information corresponding to the first physical page table is loaded into the protection table cache.
  14. The apparatus of claim 13, wherein one entry of the protection table cache stores authority information corresponding to one or more physical page tables, and wherein an entry of each physical page table in which the authority information corresponding to the physical page table is located in the protection table cache is indexed according to a hash value of an identification of the physical page table.
  15. The apparatus of claim 12, wherein the processor is specifically configured to:
    determining a physical page table protection table corresponding to the data stream according to the identification of the data stream of the accelerator or the IO device, wherein the physical page table protection table stores authority information corresponding to at least one physical page table;
    and reading the authority information corresponding to the first physical page table from the physical page table protection table according to the identification of the first physical page table.
  16. The apparatus of any one of claims 12 to 15, wherein the processor is further configured to:
    reading, from a protection flow table, a protection flow table entry corresponding to the stream identifier of the data stream of the accelerator or the IO device, wherein the protection flow table entry comprises first control information and second control information, the first control information indicating whether the global authority information of the physical page table protection table corresponding to the data stream is set to unreadable and unwritable, and the second control information indicating the boundary range of the physical page table protection table;
    if, according to the first control information and the second control information, the global authority information of the physical page table protection table is not set to unreadable and unwritable and the first physical address lies within the boundary range of the physical page table protection table, reading the authority information corresponding to the first physical page table where the first physical address is located.
  17. The apparatus of claim 16, wherein the protection flow table entry further comprises third control information, the third control information being used to indicate a protection granularity of the physical page table protection table;
    the processor is further configured to determine a first physical page table where the first physical address is located according to a boundary range and a protection granularity of the physical page table protection table.
  18. The apparatus according to claim 16 or 17, wherein the protection flow table entry further includes fourth control information, the fourth control information indicating whether the function of checking memory access rights is enabled for the data stream;
    the processor is further configured to determine, according to the fourth control information, that the function of checking memory access rights is enabled for the data stream.
  19. The apparatus according to any one of claims 12 to 18, wherein the communication interface is further configured to:
    receiving an identification of a data stream of the accelerator or the IO device, the first physical address and authority information of the accelerator or the IO device for accessing the first physical address from a translation proxy unit;
    the processor is further configured to:
    if the authority information corresponding to the first physical page table where the first physical address is located exists in the protection table cache corresponding to the data stream, and the authority information corresponding to the first physical page table in the protection table cache is inconsistent with the authority information, received from the translation proxy unit, of the accelerator or the IO device for accessing the first physical address, update the authority information corresponding to the first physical page table in both the physical page table protection table corresponding to the data stream and the protection table cache according to the authority information received from the translation proxy unit.
  20. The apparatus of claim 19, wherein the processor is further configured to:
    if the authority information corresponding to the first physical page table where the first physical address is located does not exist in the protection table cache corresponding to the data stream, the authority information of the accelerator or the IO device, which is received from the translation proxy unit and accesses the first physical address, is used as the authority information corresponding to the first physical page table where the first physical address is located, and is written into the physical page table protection table corresponding to the data stream and/or the protection table cache respectively.
  21. The apparatus according to any one of claims 12 to 20, wherein the communication interface is further configured to:
    receiving page table invalidation information from a page table management module, the page table invalidation information comprising an identification of a data stream of the accelerator or IO device and an identification of one or more physical page tables that are invalidated;
    the processor is further configured to:
    set the authority information corresponding to the invalidated one or more physical page tables, in both the protection table cache corresponding to the data stream and the physical page table protection table, to unreadable and unwritable.
  22. The apparatus according to any one of claims 12 to 20, wherein the communication interface is further configured to:
    receiving page table invalidation information from a page table management module, wherein the page table invalidation information comprises identification of a data stream of the accelerator or the IO device and indication information for performing global invalidation on a physical page table related to the data stream;
    the processor is further configured to:
    and setting the global authority information of the physical page table protection table corresponding to the data flow stored in the protection flow table entry corresponding to the identification of the data flow in the protection flow table as unreadable and unwritable.
  23. A communication device, the communication device comprising:
    a memory for storing instructions;
    at least one processor for invoking and executing the instructions from the memory to cause the communication device to implement the method of any of claims 1-11.
  24. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1-11.
  25. A computer program product, characterized in that the computer program product comprises a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1-11.
CN202080104550.1A 2020-07-31 2020-07-31 Memory protection method and protection agent control device Pending CN116249972A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/106451 WO2022021446A1 (en) 2020-07-31 2020-07-31 Memory protection method and protection proxy control apparatus

Publications (1)

Publication Number Publication Date
CN116249972A true CN116249972A (en) 2023-06-09

Family

ID=80037424

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080104550.1A Pending CN116249972A (en) 2020-07-31 2020-07-31 Memory protection method and protection agent control device

Country Status (4)

Country Link
US (1) US20230176984A1 (en)
EP (1) EP4180976A4 (en)
CN (1) CN116249972A (en)
WO (1) WO2022021446A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118312449A (en) * 2024-06-07 2024-07-09 摩尔线程智能科技(北京)有限责任公司 Memory management unit and method, chip and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101090401A (en) * 2007-05-25 2007-12-19 金蝶软件(中国)有限公司 Data caching method and system in a cluster environment
CN106502926A (en) * 2016-09-26 2017-03-15 华为技术有限公司 Memory monitoring method, memory access controller and SoC system
CN111291079A (en) * 2020-02-20 2020-06-16 京东数字科技控股有限公司 Data query method and device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015089488A1 (en) * 2013-12-12 2015-06-18 Memory Technologies Llc Channel optimized storage modules
CN106484531B (en) * 2016-09-18 2019-12-24 上海顺久电子科技有限公司 Memory access arbitration method, circuit and device
CN107220189A (en) * 2017-03-14 2017-09-29 晨星半导体股份有限公司 Memory space management and memory access control method and device
US10878859B2 (en) * 2017-12-20 2020-12-29 Micron Technology, Inc. Utilizing write stream attributes in storage write commands
CN109739806A (en) * 2018-12-28 2019-05-10 安谋科技(中国)有限公司 Memory access method, memory access controller and system on chip
CN111124814A (en) * 2019-12-05 2020-05-08 珠海市杰理科技股份有限公司 SOC memory access monitoring method and device and computer equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118312449A (en) * 2024-06-07 2024-07-09 摩尔线程智能科技(北京)有限责任公司 Memory management unit and method, chip and electronic equipment
CN118312449B (en) * 2024-06-07 2024-08-16 摩尔线程智能科技(北京)有限责任公司 Memory management unit and method, chip and electronic equipment

Also Published As

Publication number Publication date
EP4180976A4 (en) 2023-09-06
EP4180976A1 (en) 2023-05-17
WO2022021446A1 (en) 2022-02-03
US20230176984A1 (en) 2023-06-08

Similar Documents

Publication Publication Date Title
US10509736B2 (en) Controlling access by IO devices to pages in a memory in a computing device
EP3491520B1 (en) Controlling access to pages in a memory in a computing device
US10169244B2 (en) Controlling access to pages in a memory in a computing device
US10564997B2 (en) Computing system for securely executing a secure application in a rich execution environment
EP2997477B1 (en) Page table data management
US8296538B2 (en) Storing secure mode page table data in secure and non-secure regions of memory
JP7443519B2 (en) Method and apparatus for a first operating system to access resources of a second operating system
EP2994837B1 (en) Multi-core page table sets of attribute fields
US9146879B1 (en) Virtual memory management for real-time embedded devices
US20180121125A1 (en) Method and apparatus for managing resource access control hardware in a system-on-chip device
US11567666B2 (en) Handling the migration of pages of memory accessible by input-output devices
US20220308756A1 (en) Performing Memory Accesses for Input-Output Devices using Encryption Keys Associated with Owners of Pages of Memory
CN113486410B (en) Method for protecting data security, CPU core, CPU chip and electronic equipment
US11561898B1 (en) Address expansion
US20230176984A1 (en) Memory protection method and protection proxy control apparatus
EP4272081A1 (en) Migrating pages of memory accessible by input-output devices
WO2019177721A1 (en) Memory objects
US11188477B2 (en) Page protection layer
US11954026B1 (en) Paging hierarchies for extended page tables and extended page attributes
CN116964564A (en) Increasing address space layout randomization entropy by page remapping and rotation
US20240329859A1 (en) Storage I/O Management Unit for Solid-State Drives
US10628328B2 (en) Methods and systems including a memory-side memory controller configured to interpret capabilities to provide a requested dataset to a central processing unit
WO2023064590A1 (en) Software indirection level for address translation sharing
WO2023064609A1 (en) Translation tagging for address translation caching
JP5324676B2 (en) Processor, bus interface device, and computer system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination